Data Center Journal

VOLUME 52 | OCTOBER 2017

Issue link: http://cp.revolio.com/i/886554


Long-term cybersecurity is only possible for companies that learn to think about things differently. Rather than putting more energy into keeping people out, organizations must start taking action that will mitigate the damage once a hacker gets in.

THE POINT OF DIMINISHING RETURNS

Even when a data center's physical and network defenses are in line with industry best practices, there are always additional steps the company can take. Security cameras can be upgraded, biometric scanners can be added to every entrance, newer and more sophisticated firewalls can be installed. Some newer facilities have even been constructed with 10-foot-high earthworks around their perimeters.

Each step beyond standard practice, however, becomes more expensive and more complicated to implement. Companies considering extraordinary security measures should examine whether the investment will make a meaningful real-world difference in preventing attacks.

On the network-security side, new products are constantly entering the market as firewall vendors try desperately to keep pace with evolving attack methods and newly exposed vulnerabilities. Each new appliance offers higher performance and protection against more threats, but as history has shown, hackers are always a step ahead. As important as network defense may be, organizations should view it as a losing battle in the long term. A determined attacker will always find a way in.

Adding new layers of physical security may be even less effective. Physical defenses are especially expensive and time-consuming to implement, and they therefore represent a major sunk cost when they become obsolete. New physical systems can also create a need for additional maintenance or security staff, which runs against the common data center security principle of keeping on-site personnel counts as low as possible.

Perimeter defenses also tend to leave companies vulnerable to insider threats. Once an industrial spy or other malicious insider gains access to an organization's systems, there's often little else to prevent large-scale sabotage or theft.

A NEW PARADIGM

Acknowledging the limitations of network and physical security isn't admitting defeat. Rather, once organizations learn to take a realistic view of their security programs, they can avoid unnecessary expenses and allocate their resources to measures that will protect what really matters: the data stored in their facilities.

The "datacentric" approach to cybersecurity focuses on protecting sensitive information itself rather than the devices, networks or facilities that contain it. The primary goal of datacentric security is to ensure that data remains permanently inaccessible to unauthorized parties, even in the event of a security breach. The most common (and effective) form of data protection is encryption, although other technologies such as tokenization can be used for similar purposes.

Datacentric security strategies have been gaining popularity for several years, for reasons that become more obvious with each new data breach. If Equifax, for example, had protected its data with strong encryption, it would hardly matter that hackers stole highly sensitive data on 143 million people. The stolen data would be useless to anyone without the decryption key, so consumers wouldn't need to worry about their private information being sold or used, and Equifax would have been spared the massive financial and PR damage it brought on itself.

Datacentric security also positions a company to comply with a new breed of cybersecurity regulations. Governments around the world have begun to pass laws that require data controllers and data processors to keep consumer information safe or face severe penalties. In addition to the European Union's widely publicized General Data Protection Regulation (which takes effect next May), data-protection bills have been proposed in the U.K., Germany and elsewhere. In the U.S., New York State's Department of Financial Services recently implemented regulations that require banks and other companies to use encryption or similar forms of data protection for sensitive information. Given the growing public outrage over data breaches, it seems certain that additional data-protection legislation is on the way.

BECOMING DATACENTRIC

Shifting to a datacentric security strategy can be a major change, especially for companies that have focused solely on perimeter and device security. With the right approach, however, even the largest and most complex organization can implement an effective data-protection program.

Best-practice guides such as the National Institute of Standards and Technology's Cybersecurity Framework are valuable resources for companies interested in developing and implementing a datacentric strategy. Organizations should also consider the regulatory obligations they must meet under the GDPR or other data-protection laws when developing a strategy.
